Security vendor Forcepoint has identified a new mining botnet targeting the Monero cryptocurrency. Using bots to mine cryptocurrencies is nothing new, and there have been several claims over the last 15 months that botnets are targeting Monero. This blog by Luke Somerville and Abel Toro goes further: it provides evidence of an active botnet compromising SMEs and local government systems in the Haut-Rhin region of France.
Botnets speed up cryptocurrency mining
Using a botnet to mine cryptocurrency makes sense today. The difficulty of the problems to be solved requires an ever-increasing amount of compute power, which has led to mining pools: cooperatives whose members combine their compute power and share the proceeds. What is happening here is that cybercriminals are looking for a more profitable route than being a paying member of a pool. Rather than contributing their own hardware and electricity, they take the compute power from infected machines whose owners bear the cost.
Somerville and Toro reference a Malwarebytes report from January in which researchers looked at the use of the Sundown exploit kit to deploy a cryptocurrency miner. That miner was focused on Monero and was being actively updated. It appears from the Somerville and Toro blog that other campaigns to infect machines have also been successful. Surprisingly, both blogs call out the lack of obfuscation in the code used in the attacks, which made it easy for the researchers to identify and examine them.
The command and control servers are mainly hosted on legitimate websites, and interestingly the majority of those websites are hosted on OVH. The attackers may be using sites based in France to get around security controls on the victim machines. The theory is that security software would expect users to access sites based in France rather than in Vietnam, Russia or China, so traffic to a French host attracts less suspicion. If so, it is a reminder that the country a host sits in is a weak signal on its own; how a machine talks to that host matters more than where the host is.
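The geography-based evasion described above suggests a check that does not depend on the destination country at all. The following Python script is an added example written for this article; it is not code from the Forcepoint report or from the researchers. It runs a simple beaconing check over constructed egress log lines (the hostnames, timestamps and workstation names are made up; AS16276 is OVH's real autonomous system number, but the hosts attributed to it here are fictitious) and shows that a destination which sails through a country-only allowlist is still caught by the regularity of the connections to it.

```python
"""Geo-agnostic beaconing check over constructed egress logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: timestamp, source host, destination hostname,
# destination country, destination ASN. None of these records are real.
SAMPLE_LOG = """\
2018-02-01T09:00:00 ws-17 intranet.example.fr FR AS3215
2018-02-01T09:00:05 ws-17 cdn.example.net US AS13335
2018-02-01T09:00:10 ws-17 ovh-hosted-site.example FR AS16276
2018-02-01T09:03:00 ws-17 news.example.fr FR AS3215
2018-02-01T09:05:10 ws-17 ovh-hosted-site.example FR AS16276
2018-02-01T09:10:10 ws-17 ovh-hosted-site.example FR AS16276
2018-02-01T09:15:10 ws-17 ovh-hosted-site.example FR AS16276
2018-02-01T09:20:10 ws-17 ovh-hosted-site.example FR AS16276
2018-02-01T10:30:00 ws-17 news.example.fr FR AS3215
2018-02-01T11:00:00 ws-42 ovh-hosted-site.example FR AS16276
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, country, asn = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "country": country,
            "asn": asn,
        })
    return records


def geo_allowlist_passes(record, home_country="FR"):
    """The country-only control the article describes: anything hosted in the
    expected country is waved through, so a C2 on a French host passes."""
    return record["country"] == home_country


def find_beacons(records, min_events=4, max_cv=0.2):
    """Return {(src, dst): (event_count, mean_interval_seconds)} for every
    source/destination pair whose inter-arrival times are regular enough to
    look like a beacon, regardless of country or ASN.

    Regularity is measured by the coefficient of variation of the gaps
    between consecutive connections (0.0 means perfectly periodic)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (len(stamps), avg)
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), (count, avg) in find_beacons(recs).items():
        passes = all(geo_allowlist_passes(r) for r in recs if r["dst"] == dst)
        print(f"{src} -> {dst}: {count} connections every ~{avg:.0f}s "
              f"(passes FR-only allowlist: {passes})")
```

The thresholds (`min_events`, `max_cv`) are arbitrary starting points and would need tuning against real traffic, where legitimate software updaters and monitoring agents also beacon; the point of the example is only that the check keys on behaviour rather than on the country or provider of the destination.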
It is a surprise that we haven't seen more botnet cryptocurrency mining campaigns over the last few years. The rising price of most cryptocurrencies is enough to make it attractive, and given the size of some botnets and the cost of renting them, it is certainly cost effective. What is interesting is that this campaign targets a cryptocurrency that is relatively unknown outside the dark net.